Project Management

At the Risk of Causing Offense...

From the Game Theory in Management Blog
Modelling Business Decisions and their Consequences

About this Blog


Recent Posts

Munchkin Project Management

How Far Away Are We From PM Robots?

Is It Standard, Or Is It Quality?

You Can Be Creative, But Don’t Be Dumb

Finally! A Use For Risk Management!

Categories: Risk Management

That was great of my old friend, Stanly Raspberry, Private Eye, to convey a story in my last blog, about how useless it was to have risk analyst Myron Tittle tag along with him on his last case, but I’m afraid Stanly’s points were a bit subtle. So, I’ll be a little bit more blatant: much of what is presented as modern risk management is fraudulent, and a complete waste of money and time.

I offer a more thorough debunking of current risk management theory in (Marlin Perkins moment alert!) my new book, Game Theory in Management, Modeling Business Decisions and Their Consequences (, but, for this blog, a couple of well-placed arguments should get the discussion rolling (or roiling).  I want to start by picking off that most irksome of risk analysts’ assertions, that “risk management” also includes “opportunity.” Note the gratuitous inclusion of the word in the Project Management Institute’s (PMI®’s) PMBOK Handbook Series on the subject, Project and Program RISK MANAGEMENT, A Guide to Managing Project Risks and Opportunities (PMI Publishing, 1992).  The risk management aficionados simply love to claim that their Gaussian curve-based models can somehow quantify how the future will unfold, so, naturally, they simply had to change the definition of “risk” to include the good with the bad. Hence, the coining of the term “upside risk,” and the inclusion of the management of upside risk, or opportunity, in subsequent PMI publications that deal with the subject. Here is a brief list of reference works that exclude any mention of “opportunity,” or, indeed, anything but hazardous or negative events being associated with the word “risk”:

·         Webster’s New International Dictionary, Second Edition, Unabridged (this book weighs 16 pounds)

·         Webster’s New Collegiate Dictionary, 8th Edition

·         The American Heritage Dictionary, 2nd College Edition

·         The Oxford English Dictionary (which, incidentally, included the word’s etymology as coming from the Latin phrase “to run into danger.”)

But, let the Project Management Institute issue “guidance”with an utterly re-defined “risk,” and all right-thinking managers must immediately adopt the new version!

Current risk analysis techniques rely to a high degree on the experiences of the project’s experts to provide best-case, worst-case, and most-probable scenarios to serve as the basis for the estimators’ cost baselines and contingency reserves. Take away the statistical analyses, the confidence intervals and Monte Carlo simulations, and this is what you have – not what went before, but what those creating the baselines perceive as what went before. Our internal narratives – including the ones that explain why the past unfolded the way it did – are full of cognitive biases, rendering the strength of our causality analyses far weaker than we believe them to be (hence, quasi-surreal events like the celebration of Groundhog Day). Why would anyone believe that, once we flip these narratives forward across the Time Now line, they can provide a workable structure for how the future will come about? And no amount of Gaussian-curve-based models overlaying these narratives can magically bestow validity to them.

As I discuss in Game Theory in Management, it’s another example of a management information system far outstripping its epistemological boundaries, and its adherents being placed in the position to having to promise to be able to return information concerning the unfolding of future events, which is obviously absurd.  Nassim Taleb, in his wonderful work The Black Swan, The Impact of the HIGHLY IMPROBABLE (Random House Trade Paperback Edition, 2010) had these two gems:

·         Also, many readers (say, those who work in forecasting or banking) do not often understand that the “actionable step” for them is to simply quit their profession and do something more ethical. (page 334)

·         This proves that everything relying on “standard deviations,” “variance,” “least square derivation,” etc. is bogus. (page 355)

And yet, a Google search on the term “risk management” returned over 63 million results (June 17, 2012), many of them organizations that offer to perform risk management services. I find it ironic that when I write about the accuracy and reliability of Earned Value information, I invariably receive comments along the lines of “It’s only a tool! It has little to do with project success!” But, let me cast any dispersions against the, in my opinion, vastly over-sold efficacy of risk management techniques, and the exact opposite happens, and to a significantly higher degree. In my previous gig, writing The Variance Threshold column for PMNetwork magazine, people would write the managing editor demanding my firing for daring to state that the definition of risk had nothing to do with “opportunity.”

So, that being my experience, I believe there to be a high probability of this blog generating some lively discussion – unless, of course, the risk management types, after having read this piece, are willing to concede the argument.

And I find that unlikely.

Posted on: June 17, 2012 08:27 PM | Permalink

Comments (3)

Please login or join to subscribe to this item
OK, so there is often a personal bias, occasionally encouraged by managers who want a Goldilocks risk profile. That is nothing new. The same could be said of Business Case Analyses. I have never read one that was not a boring work of fiction aimed at justifying a decision some manager had already made to move forward with a particular strategy. Block checking exercises do not add much value...

The quality and effectiveness of a Risk Management Plan and the relevance of risks you capture and address will likely hinge upon how well you engage the correct stakeholders (often worker-bees) in describing each risk and performing the requisite qualitative and quantitative assessments. I do not recommend the use of statistical tools unless the parameters involved are well defined and tracked consistently enough to provide bullet proof and significant data sets. A data set constructed or "hatched" for one project in a limited setting (single organization) is likely invalid.

As a Project Manager I want to know what are the real threats to project success, not what must I write to keep some finance geek happy. The mitigation strategies (not the chances of risks becoming issues) should define contingency costs, and it is silly to try to determine the likelihood they might be triggered to even one decimal place.

I expect the Risk Management process to be the place to identify bad stuff that might happen; I do not consider it the place to look for opportunities. If opportunities rear their lovely heads, I will pursue them forthwith, outside the Risk Management arena.

Are you implying that a risk management plan should cover negative opportunities?

Yes, I'm still beating your wife...

Please Login/Register to leave a comment.


"Familiarity breeds contempt -- and children."

- Mark Twain